How does Blackberry Blend actually (and securely) accomplish its "magic"?

My Google-Fu is not turning up anything that explains at a technical level HOW Blackberry Blend actually works.

I did see mention about it not being a cloud service, and that when you disconnect from the Blend software the files/features on the phone are then no longer accessible from the computer/tablet/whatever you're running Blend on.

If my BB is exclusively a personal device, and NOT BYOD / "Balanced" into my work network, and not connected to my company WiFi -- but I have the Blend software installed/working on my work computer, is it secretly tunneling through my company firewall to find/connect with my BB if I accidentally leave it at home? How?

Does the Blend process allow connections the opposite way (phone at home, Blend software open and running at work)? How?

If my phone is at home only connected to the cellular network, and I am somewhere else with a WiFi tablet running Blend, HOW is the tablet "talking" to my BB at home? Is it going through some VPN tunnel to the BB NOC and then jumping out onto the cellular data network so it can find and connect to my phone?

What if my phone is at home connected to WiFi only, and doesn't have the cellular data connection active? How is the Blend software running on the tablet able to get through my ISP's inbound firewall on my DSL line, and then getting through my physical firewall/router at home?

I have enough technical knowledge to understand about the components likely involved (LAN, VPN, NOC, firewalls, etc) but am at a loss as to how they all actually interconnect to make Blend *securely* work its magic.

Any insights?
URLs?
Personal phone numbers of the BB software engineers who wrote it? ;-)

Cursory examination of the extracted Blend bar shows it to be a Nginx server running on-device. Blend software is just a dumb client. It's the opposite of how Remote File Access works through Link. As for what happens between the client and phone, that's beyond me.

Alas, I don't have a Passport yet, and AT&T hasn't pushed 10.3 yet for my Q10 -- so I don't have anything to test for myself via ipconfig. :-(

The whole "in case you accidentally leave your phone at home" thing is appealing -- but since it's my personal phone and not connected as BYOD -- it's looking like using Blend on my work computer is probably going to violate a zillion corporate data policies -- especially if Blend is going to merrily let me drag-n-drop files into it and magically whisk them away.

Or does the file stay on my work computer, and Blend has to be open/running on it so it can make the file editable from my phone through the tunnel? (But if it lets me save-as from the phone side, and/or attach it to an email, that still puts the content outside the firewall since I'm not on BES / Balance.)

Also, since BB doesn't have any kind of "cloud for consumers" -- and I don't / wouldn't trust any other cloud provider -- the "access files on your home computer remotely from your phone" is also appealing. But I don't want an open port on my firewall. So if my Q10 can't "phone home" (ha ha), the connection has to be outbound from my PC with Blend running. Establishing half a VPN tunnel out from my PC to the NOC, and another half a VPN tunnel out from my phone to the NOC sounds awfully man-in-the-middle-ish.